The Phusion Passenger 4.0 betas contain a vulnerability which allows arbitrary files to be deleted on the system. The vulnerability is local and cannot be exploited remotely. The vulnerability can only be triggered during application startup (e.g. during evaluation of config.ru). Environments that are at risk include, but may not be limited to:

“Phusion” and “Phusion Passenger” are registered trademarks of Phusion. “Rails”, “Ruby on Rails” and the Rails logo are registered trademarks of David Heinemeier Hansson. All other trademarks are property of their respective owners.